NETCEASE finding too old

Hi Joe,

As I do not use the NetCease script anymore, because it is too old and the current Windows security settings are more secure, this should be mentioned or the finding needs to be removed. Otherwise, using the NetCease script will reduce security. The link to the NetCease script should be removed and/or the finding needs an updated text.

Finding/RiskID: A-NoNetSessionHardening

So I am sharing my notes with you, which I quickly translated from German.
New operating systems already have better security settings than the NetCease script would apply.

If you would anyway like to apply a hardening measure for this, then analyzing the current permissions and configuring them with GPP or a custom ADM(X) file could be a more administrative way. Also PowerShell to modify a GPO's Administrative Templates without an ADM(X) file.

Just as an example, here are the values that could/would be set:

# NetCease script expected default
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' -Name SrvsvcSessionInfo -Value (
                1,0,4,128,120,0,0,0,132,0,0,0,
                0,0,0,0,20,0,0,0,2,0,100,0,
                4,0,0,0,0,0,24,0,19,0,15,0,
                1,2,0,0,0,0,0,5,32,0,0,0,
                32,2,0,0,0,0,24,0,19,0,15,0,
                1,2,0,0,0,0,0,5,32,0,0,0,
                37,2,0,0,0,0,24,0,19,0,15,0,
                1,2,0,0,0,0,0,5,32,0,0,0,
                35,2,0,0,0,0,20,0,1,0,0,0,
                1,1,0,0,0,0,0,5,11,0,0,0,
                1,1,0,0,0,0,0,5,18,0,0,0,
                1,1,0,0,0,0,0,5,18,0,0,0 -as [byte[]] )


# NetCease script expected secure configuration
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' -Name SrvsvcSessionInfo -Value (
                1,0,4,128,20,0,0,0,32,0,0,0,
                0,0,0,0,44,0,0,0,1,1,0,0,
                0,0,0,5,18,0,0,0,1,1,0,0,
                0,0,0,5,18,0,0,0,2,0,140,0,
                6,0,0,0,0,0,20,0,255,1,31,0,
                1,1,0,0,0,0,0,5,3,0,0,0,
                0,0,20,0,255,1,31,0,1,1,0,0,
                0,0,0,5,4,0,0,0,0,0,20,0,
                255,1,31,0,1,1,0,0,0,0,0,5,
                6,0,0,0,0,0,24,0,19,0,15,0,
                1,2,0,0,0,0,0,5,32,0,0,0,
                32,2,0,0,0,0,24,0,19,0,15,0,
                1,2,0,0,0,0,0,5,32,0,0,0,
                35,2,0,0,0,0,24,0,19,0,15,0,
                1,2,0,0,0,0,0,5,32,0,0,0,
                37,2,0,0 -as [byte[]] )

# New Version of security settings - starting with Windows 10/11, Server 2022 Default at a certain (very old) update
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' -Name SrvsvcSessionInfo -Value (
                 1,0,4,128,160,0,0,0,172,0,0,0,
                 0,0,0,0,20,0,0,0,2,0,140,0,
                 6,0,0,0,0,0,24,0,19,0,15,0,
                 1,2,0,0,0,0,0,5,32,0,0,0,
                 32,2,0,0,0,0,24,0,19,0,15,0,
                 1,2,0,0,0,0,0,5,32,0,0,0,
                 37,2,0,0,0,0,24,0,19,0,15,0,
                 1,2,0,0,0,0,0,5,32,0,0,0,
                 35,2,0,0,0,0,20,0,1,0,0,0,
                 1,1,0,0,0,0,0,5,4,0,0,0,
                 0,0,20,0,1,0,0,0,1,1,0,0,
                 0,0,0,5,6,0,0,0,0,0,20,0,
                 1,0,0,0,1,1,0,0,0,0,0,5,
                 3,0,0,0,1,1,0,0,0,0,0,5,
                 18,0,0,0,1,1,0,0,0,0,0,5,
                 18,0,0,0 -as [byte[]] ) 

# if someone prefers GPP:
New-GPO -Name "NetSessionEnumeration"
# -Value must be cast to a byte array ([byte[]]), not a single [byte]; the value is REG_BINARY
Set-GPPrefRegistryValue -Name "NetSessionEnumeration" -Context Computer -Key "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity" -ValueName "SrvsvcSessionInfo" -Value (
1,0,4,128,160,0,0,0,172,0,0,0,
0,0,0,0,20,0,0,0,2,0,140,0,
6,0,0,0,0,0,24,0,19,0,15,0,
1,2,0,0,0,0,0,5,32,0,0,0,
32,2,0,0,0,0,24,0,19,0,15,0,
1,2,0,0,0,0,0,5,32,0,0,0,
37,2,0,0,0,0,24,0,19,0,15,0,
1,2,0,0,0,0,0,5,32,0,0,0,
35,2,0,0,0,0,20,0,1,0,0,0,
1,1,0,0,0,0,0,5,4,0,0,0,
0,0,20,0,1,0,0,0,1,1,0,0,
0,0,0,5,6,0,0,0,0,0,20,0,
1,0,0,0,1,1,0,0,0,0,0,5,
3,0,0,0,1,1,0,0,0,0,0,5,
18,0,0,0,1,1,0,0,0,0,0,5,
18,0,0,0 -as [byte[]] ) -Type Binary -Action Update
New-GPLink -Name "NetSessionEnumeration" -Target "DC=example,DC=com"
gpupdate

When the registry value gets applied, a restart of LanmanServer is required:

Restart-Service -Name LanmanServer -Force -Verbose

Default for new OS:

Get-NetSessionEnumPermission | ft

TranslatedSID            BinaryLength  AceQualifier IsCallback OpaqueLength AccessMask SecurityIdentifier       AceType AceFlags IsInherited
-------------            ------------  ------------ ---------- ------------ ---------- ------------------       ------- -------- -----------
NT AUTHORITY\BATCH                 20 AccessAllowed      False            0          1 S-1-5-3            AccessAllowed     None       False
NT AUTHORITY\INTERACTIVE           20 AccessAllowed      False            0          1 S-1-5-4            AccessAllowed     None       False
NT AUTHORITY\SERVICE               20 AccessAllowed      False            0          1 S-1-5-6            AccessAllowed     None       False
BUILTIN\Administrators             24 AccessAllowed      False            0     983059 S-1-5-32-544       AccessAllowed     None       False
                                   24 AccessAllowed      False            0     983059 S-1-5-32-547       AccessAllowed     None       False
BUILTIN\Server Operators           24 AccessAllowed      False            0     983059 S-1-5-32-549       AccessAllowed     None       False

Default for older OS:

Get-NetSessionEnumPermission | ft

TranslatedSID                          BinaryLength  AceQualifier IsCallback OpaqueLength AccessMask SecurityIdentifier       AceType AceFlags IsInherited
-------------                          ------------  ------------ ---------- ------------ ---------- ------------------       ------- -------- -----------
NT-AUTORITÄT\Authentifizierte Benutzer           20 AccessAllowed      False            0          1 S-1-5-11           AccessAllowed     None       False
VORDEFINIERT\Administratoren                     24 AccessAllowed      False            0     983059 S-1-5-32-544       AccessAllowed     None       False
                                                 24 AccessAllowed      False            0     983059 S-1-5-32-547       AccessAllowed     None       False
VORDEFINIERT\Server-Operatoren                   24 AccessAllowed      False            0     983059 S-1-5-32-549       AccessAllowed     None       False

Wrong/Old NetCease Script:

Get-NetSessionEnumPermission | ft

TranslatedSID            BinaryLength  AceQualifier IsCallback OpaqueLength AccessMask SecurityIdentifier       AceType AceFlags IsInherited
-------------            ------------  ------------ ---------- ------------ ---------- ------------------       ------- -------- -----------
NT AUTHORITY\BATCH                 20 AccessAllowed      False            0    2032127 S-1-5-3            AccessAllowed     None       False
NT AUTHORITY\INTERACTIVE           20 AccessAllowed      False            0    2032127 S-1-5-4            AccessAllowed     None       False
NT AUTHORITY\SERVICE               20 AccessAllowed      False            0    2032127 S-1-5-6            AccessAllowed     None       False
BUILTIN\Administrators             24 AccessAllowed      False            0     983059 S-1-5-32-544       AccessAllowed     None       False
                                   24 AccessAllowed      False            0     983059 S-1-5-32-547       AccessAllowed     None       False
BUILTIN\Server Operators           24 AccessAllowed      False            0     983059 S-1-5-32-549       AccessAllowed     None       False

Accessmask:

Unresolvable SID “S-1-5-32-547” is called “DOMAIN_ALIAS_RID_SYSTEM_OPS” (Source: Well-known SIDs - Win32 apps | Microsoft Learn)

Accessmask Permissions (Source: ADS_RIGHTS_ENUM (iads.h) - Win32 apps | Microsoft Learn):

Value Details
1 ADS_RIGHT_DS_CREATE_CHILD
983059 ADS_RIGHT_DELETE, ADS_RIGHT_READ_CONTROL, ADS_RIGHT_WRITE_DAC, ADS_RIGHT_WRITE_OWNER, ADS_RIGHT_SYNCHRONIZE, ADS_RIGHT_DS_CREATE_CHILD, ADS_RIGHT_DS_DELETE_CHILD, ADS_RIGHT_ACTRL_DS_LIST, ADS_RIGHT_DS_SELF, ADS_RIGHT_DS_READ_PROP, ADS_RIGHT_DS_WRITE_PROP, ADS_RIGHT_DS_DELETE_TREE, ADS_RIGHT_DS_LIST_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS1
2032127 ADS_RIGHT_DS_CREATE_CHILD, ADS_RIGHT_DS_DELETE_CHILD, ADS_RIGHT_ACTRL_DS_LIST, ADS_RIGHT_DS_SELF, ADS_RIGHT_DS_READ_PROP, ADS_RIGHT_DS_WRITE_PROP, ADS_RIGHT_DS_DELETE_TREE, ADS_RIGHT_DS_LIST_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS1

This should be the most relevant data from my notes.

I don't say this finding is irrelevant, because as long as there are old/insecure Windows versions it needs to be reconfigured. Up-to-date environments should not have a security issue here, but it should be configured in any case by GPO so a global default gets enforced.

Best regards

Andi/Andy/An-Dir/Andreas Rinner

Hi Andy,
Thanks for the detailed feedback. You are absolutely correct here from what I can tell from a quick look.

I think we will have to check for versions prior to Windows 10 version 1607 and Windows Server 2016 based on their docs - Network access - Restrict clients allowed to make remote calls to SAM - Windows 10 | Microsoft Learn

If we find versions older than those enabled then we can trigger and if not then we don’t. Does that logic sound right to you? Is there anything I am missing?

Cheers,
Joe

Hi @joe.dibley

Thanks for your feedback and for providing the correct MS link.

I think your suggestion would work in most cases, but there is also a small chance that someone has run the NetCease script, applied settings through GPO which are not very strong, or applied even worse settings.

Therefore, you could perform a rough validation based on the existence of enabled/linked GPOs. This would require checking that the GPOs:

  1. a registry value for "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity" SrvsvcSessionInfo with the value not having Everyone (S-1-1-0), Anonymous (S-1-5-7), Authenticated Users (S-1-5-11) or Domain Users (S-1-5-21-<DomainID>-513) is linked/enabled
  2. and NO registry value with the named groups above is linked/enabled.

In this case, a deployed NetCease PowerShell script would not be detected. However, until now, PingCastle has not validated script contents. If you would like to start doing that, you could validate the contents of all *.ps1 script files that were already detected in the report by checking if any of them contain "SrvsvcSessionInfo" AND "LanmanServer" or "NetSessionEnumPermission".
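The byte arrays in the first post and the principal check in the two items above concern the same structure: SrvsvcSessionInfo is a self-relative Windows security descriptor (header, owner SID, group SID, DACL of ACCESS_ALLOWED ACEs). The following Python is an added example, not code from this thread or from PingCastle: it decodes the three blobs posted above into owner, group and per-ACE SID/mask, and applies the check from items 1 and 2 by reporting any allow ACE for Everyone, Anonymous, Authenticated Users or a Domain Users SID. The blob constants are copied from the posted arrays; the header layouts and the split of an ACCESS_MASK into standard-rights (upper 16 bits) and object-specific (lower 16 bits) halves are the documented Windows formats; the function names are my own.

```python
"""Decode SrvsvcSessionInfo (self-relative SECURITY_DESCRIPTOR) and flag broad grants."""
import struct


def blob(text):
    """Build bytes from the comma-separated decimal lists posted in the thread."""
    return bytes(int(v) for v in text.replace("\n", "").split(",") if v.strip())


# Constructed from the arrays posted above (older OS default / NetCease "secure" / newer OS default).
OLD_OS_DEFAULT = blob("""
1,0,4,128,120,0,0,0,132,0,0,0,0,0,0,0,20,0,0,0,2,0,100,0,
4,0,0,0,0,0,24,0,19,0,15,0,1,2,0,0,0,0,0,5,32,0,0,0,
32,2,0,0,0,0,24,0,19,0,15,0,1,2,0,0,0,0,0,5,32,0,0,0,
37,2,0,0,0,0,24,0,19,0,15,0,1,2,0,0,0,0,0,5,32,0,0,0,
35,2,0,0,0,0,20,0,1,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,
1,1,0,0,0,0,0,5,18,0,0,0,1,1,0,0,0,0,0,5,18,0,0,0""")

NETCEASE_HARDENED = blob("""
1,0,4,128,20,0,0,0,32,0,0,0,0,0,0,0,44,0,0,0,1,1,0,0,
0,0,0,5,18,0,0,0,1,1,0,0,0,0,0,5,18,0,0,0,2,0,140,0,
6,0,0,0,0,0,20,0,255,1,31,0,1,1,0,0,0,0,0,5,3,0,0,0,
0,0,20,0,255,1,31,0,1,1,0,0,0,0,0,5,4,0,0,0,0,0,20,0,
255,1,31,0,1,1,0,0,0,0,0,5,6,0,0,0,0,0,24,0,19,0,15,0,
1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,0,24,0,19,0,15,0,
1,2,0,0,0,0,0,5,32,0,0,0,35,2,0,0,0,0,24,0,19,0,15,0,
1,2,0,0,0,0,0,5,32,0,0,0,37,2,0,0""")

NEW_OS_DEFAULT = blob("""
1,0,4,128,160,0,0,0,172,0,0,0,0,0,0,0,20,0,0,0,2,0,140,0,
6,0,0,0,0,0,24,0,19,0,15,0,1,2,0,0,0,0,0,5,32,0,0,0,
32,2,0,0,0,0,24,0,19,0,15,0,1,2,0,0,0,0,0,5,32,0,0,0,
37,2,0,0,0,0,24,0,19,0,15,0,1,2,0,0,0,0,0,5,32,0,0,0,
35,2,0,0,0,0,20,0,1,0,0,0,1,1,0,0,0,0,0,5,4,0,0,0,
0,0,20,0,1,0,0,0,1,1,0,0,0,0,0,5,6,0,0,0,0,0,20,0,
1,0,0,0,1,1,0,0,0,0,0,5,3,0,0,0,1,1,0,0,0,0,0,5,
18,0,0,0,1,1,0,0,0,0,0,5,18,0,0,0""")

SD_HEADER = struct.Struct("<BBHIIII")  # Revision, Sbz1, Control, OffsetOwner/Group/Sacl/Dacl
ACL_HEADER = struct.Struct("<BBHHH")   # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = struct.Struct("<BBHI")    # AceType, AceFlags, AceSize, Mask (ACCESS_ALLOWED layout)
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0

# SIDs named in item 1 above; Domain Users is matched by its RID 513 under S-1-5-21-<domain>.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous", "S-1-5-11": "Authenticated Users"}


def parse_sid(buf, off):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def parse_acl(buf, off):
    _rev, _, _size, count, _ = ACL_HEADER.unpack_from(buf, off)
    pos, aces = off + ACL_HEADER.size, []
    for _ in range(count):
        ace_type, flags, size, mask = ACE_HEADER.unpack_from(buf, pos)
        aces.append({"type": ace_type, "flags": flags, "mask": mask,
                     "sid": parse_sid(buf, pos + ACE_HEADER.size)})
        pos += size  # AceSize covers header, mask and the variable-length SID
    return aces


def parse_sd(buf):
    rev, _, control, o_owner, o_group, _o_sacl, o_dacl = SD_HEADER.unpack_from(buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {"owner": parse_sid(buf, o_owner) if o_owner else None,
            "group": parse_sid(buf, o_group) if o_group else None,
            "dacl": parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else []}


def is_broad(sid):
    return sid in BROAD_SIDS or (sid.startswith("S-1-5-21-") and sid.split("-")[-1] == "513")


def broad_grants(buf):
    """SIDs from the thread's deny-list that hold an ACCESS_ALLOWED entry in the DACL."""
    return [a["sid"] for a in parse_sd(buf)["dacl"]
            if a["type"] == ACCESS_ALLOWED_ACE_TYPE and is_broad(a["sid"])]


def describe(buf):
    """One line per ACE: SID, full mask, and its standard-rights / object-specific halves."""
    return ["%-14s mask=%7d (std=0x%02X specific=0x%04X)"
            % (a["sid"], a["mask"], a["mask"] >> 16, a["mask"] & 0xFFFF)
            for a in parse_sd(buf)["dacl"]]


if __name__ == "__main__":
    for name, data in (("old OS default", OLD_OS_DEFAULT),
                       ("NetCease hardened", NETCEASE_HARDENED),
                       ("new OS default", NEW_OS_DEFAULT)):
        print("== %s: broad grants = %s" % (name, broad_grants(data) or "none"))
        print("\n".join(describe(data)))
```

The same decoder works on a value read from the registry or exported from a GPP XML, so the item 1 / item 2 check reduces to `broad_grants(value) == []` for every linked policy that sets SrvsvcSessionInfo.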

Perfect idea. Yes, Vincent kept it light touch on validation and more just checking someone did something with the value.

I will put a bunch more thought into this and see if I can come up with something that should be useful for you and our other customers and run it by you once I have something :slight_smile:
